Tags: django, authentication, web-applications, openid

Which could be a good way to design an authentication mechanism to restrict access to the backend to only registered users?


I'm making a mobile app that allows a registered user to make a list of favourite email addresses.

I intend to do the authentication through OpenID, so the user can log in to the system using their Gmail account.

The registered users of the system can insert many email addresses to a database.

Then I have many controller methods.

One of them is getUsersByName(admin_email), which receives the email of a registered user and returns the list of email addresses inserted by that user.

Now, the problem is that I don't want everyone to be able to call getUsersByName(admin_email) and retrieve the response for every registered user.

What options do I have so that only the user who inserted the email addresses can access the list related to them?

For instance, if a registered user calls getUsersByName(admin_email), the server responds with the right list, but if someone not registered makes an HTTP request to getUsersByName(admin_email), the server responds with a JSON error object.

My backend is in Django and I want to make the client in Android.

I hope I have been clear enough.

Thanks in advance!


Solution

  • The easiest way to achieve what you're looking for is this, and I'm going to assume Django 1.6 and that you're using a function-based view and not a class-based view.

    from django.contrib.auth.decorators import login_required
    from django.shortcuts import render_to_response
    from .models import UserEmail  # assumed model holding the added addresses

    @login_required
    def getUsersByName(request):
        # Owner comes from the logged-in session, never from a client parameter
        user_email = request.user.email
        all_users_emails = UserEmail.objects.filter(added_by=user_email)
        return render_to_response(...)

    What this does is that this view is now protected by the decorator @login_required from being accessed if you're not logged in, i.e. you have to be registered and logged in in order to view your added emails. It will also redirect to your login view if an unregistered user tries to gain access to the view.

    Furthermore, by doing it like this, your users will never be able to send in others' email addresses in order to gain access to them.

    For Class based views you can take two approaches, both explained here
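The rule the answer applies, as an added example that is not part of the original answer and is written without Django so it runs stand-alone: the owner of the list is taken from the server-side session, the admin_email parameter sent by the client is ignored, and unauthenticated callers get the JSON error object the question asked for instead of a redirect. The Request class, EMAIL_STORE and login_required_json are constructed stand-ins for Django's request object, the UserEmail model and @login_required.

```python
import json
from functools import wraps

# Constructed stand-in for the UserEmail table: (owner email, stored email).
EMAIL_STORE = [
    ("alice@example.com", "friend1@example.com"),
    ("alice@example.com", "friend2@example.com"),
    ("bob@example.com", "colleague@example.com"),
]


class Request:
    """Minimal stand-in for a Django request: query parameters plus the user
    the session middleware resolved (None when nobody is logged in)."""
    def __init__(self, params=None, user_email=None):
        self.GET = params or {}
        self.user_email = user_email  # set by the server, never by the client


def login_required_json(view):
    """Like @login_required, but answers unauthenticated callers with a JSON
    error object instead of a redirect, which suits a mobile client better."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.user_email is None:
            return {"error": "authentication required"}
        return view(request, *args, **kwargs)
    return wrapper


def get_users_by_name_vulnerable(request):
    """Trusts the client-supplied admin_email: any caller reads any user's
    list just by changing the parameter (insecure direct object reference)."""
    owner = request.GET.get("admin_email")
    return {"emails": [e for o, e in EMAIL_STORE if o == owner]}


@login_required_json
def get_users_by_name(request):
    """Fixed version: the owner is the authenticated user, so an admin_email
    parameter sent by the client has no effect on what is returned."""
    owner = request.user_email
    return {"emails": [e for o, e in EMAIL_STORE if o == owner]}


def as_json(response):
    """Serialise a view result the way the Android client would receive it."""
    return json.dumps(response, sort_keys=True)
```

Calling get_users_by_name as bob with admin_email=alice@example.com still returns only bob's list, while the vulnerable variant hands alice's list to anyone who asks.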